What is HTTPS?

HTTPS is the transport layer protocol TLS added to HTTP, that is, HTTPS = HTTP + TLS.

What does HTTPS do?

HTTP is plaintext transmission. Network packets transmitted using HTTP can be obtained by any node (such as router, DNS server, and network service provider) in the communication process. These nodes may read and tamper with the content of network packets, resulting in communication failure or damage or loss. However, the network packet transmitted through HTTPS is encrypted, and the intermediate node cannot read or tamper with the network packet effectively, which makes the communication process secure and reliable.

How does HTTPS work?

If intermediate nodes cannot understand the data in the network packet, they need to encrypt the data. To encrypt the data, they need to use the key. The key that is known only by the communication parties and not anywhere else is a good key. So how do you make the key known only to both parties?

If the number of devices is small, it is also possible to deploy them one by one. However, generally speaking, the communication parties do not know the existence of the other party before the communication, and one party tells the other party that the key will be obtained by the intermediate node, so a reliable third party is needed. If the communication parties trust the third party, then under the role of the third party, the communication parties can establish trust, so as to complete reliable communication. This third party is the CA certificate.

A CA certificate is a certificate (purchased by the company) issued by the CA organization to the server. The certificate contains fingerprints, signature algorithms, and the public key of the server. Browser vendors and CA organizations are deeply cooperative, and browsers have top-level CA certificates built in.

With the help of a trusted third party, the browser and server begin HTTPS communication:

  • The browser sends an HTTPS communication request to the server, including the TLS version number, password suite, and random number C supported by the browser

  • The server selects the appropriate encryption protocol and sends the certificate, TLS version number to use, password suite, and random number S

  • The browser uses the top-level certificate to verify the validity of the certificate sent by the server

  • The browser generates a random pre-master number and encrypts it with the public key in the certificate sent by the server

  • The browser sends the encrypted pre-master to the server

  • The browser calculates the key for subsequent communication according to random number C, random number S and pre-master (symmetric encryption key)

  • The browser sends Change Cipher Spec to indicate that subsequent sessions are encrypted

  • The browser sent a Finished request containing the verification information about the handshake data

  • The server decrypts the pre-master using the private key, and calculates the key according to the random number C, S and pre-master (the same as that of the browser).

  • The server sends the Change Cipher Spec message to indicate that subsequent sessions use encrypted communication

  • The server sent a Finished request containing verification information about the handshake data

Why use two encryption methods?

CA certificate encryption and decryption means that a pair of public and private keys are generated on the server. The public key is given to the CA organization, which makes a CA certificate and then gives it to the server. The private key is kept by the server. Asymmetric encryption is used to encrypt the private key with the public key and the private key with the public key. The main algorithm is RSA, which consumes CPU power. In addition, the encryption length is 2048 bits, meaning that the encryption content does not exceed 256 bytes.

The browser generates the key and the server generates the same key using the same algorithm and parameters called symmetric encryption. Common algorithms include AES and DES. The algorithm has a small amount of computation, accounting for only one thousandth of that of the asymmetric algorithm. It is suitable for data encryption at the application layer.

Reference:

Interview Question – Network Basics -HTTPS Connection process

HTTPS Specifies the process for establishing a connection

Why IS HTTPS Secure